CVE-2026-42211

EPSS 0.42%
Veröffentlicht 02.06.2026 18:18:46
Zuletzt bearbeitet 04.06.2026 18:50:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shopify ≫ React-router SwPlatformnode.js Version >= 7.0.0 < 7.14.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.331

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-42211

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42211

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42211

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42211